Hi All,

This is actually a two-part question.

a) Is there a 100% proof-positive way to determine if someone has previously broken into a system via ssh... before remote root logins were disabled and a weak password replaced... and

b) how do I correct the apparent inability of 'who', given any parameters, to return something more informative than just a prompt?

Copied & pasted examples:
(note: root has logged into console tty1 after the user has logged into his desktop on tty7, then root has logged in again via shell on the user's desktop.)

as user:
> [EMAIL PROTECTED]:~> who
> [EMAIL PROTECTED]:~>
> [EMAIL PROTECTED]:~> who -a
> [EMAIL PROTECTED]:~>
> [EMAIL PROTECTED]:~> who -m
> [EMAIL PROTECTED]:~>
> [EMAIL PROTECTED]:~> who -u
> [EMAIL PROTECTED]:~>

as root:
> linux:~ # who
> linux:~ #
> linux:~ # who -a
> linux:~ #
> linux:~ # who -m
> linux:~ #
> linux:~ # who -u
> linux:~ #

Additional info:
> linux:~ # which who
> /usr/bin/who
> linux:~ # l /usr/bin/who
> -rwxr-xr-x 1 root root 25204 2006-01-31 11:28 /usr/bin/who*
> linux:~ # file /usr/bin/who
> /usr/bin/who: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
> GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped

All ideas/hints gratefully appreciated and a happy new year to all of you!

regards,
Carl
